.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.RB "[ " replay-seq-hi
.RB "[ " replay-oseq-hi
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.IR EXTRA-FLAG-LIST " ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR "ip xfrm state " deleteall " ["
.BR "ip xfrm state " list " ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " }"
.IR SPORT " " DPORT " " OADDR
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
.IR EXTRA-FLAG " := "
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR "ip xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.B "ip xfrm policy set"
.IR LBITS " " RBITS " ]"
.IR LBITS " " RBITS " ]"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " ["
.IR LISTofXFRM-OBJECTS " ]"
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
(in conjunction with the
.B state
object operating on the Security Association Database, and the
.B policy
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
.SS ip xfrm state add \- add new state into xfrm
.SS ip xfrm state update \- update existing state in xfrm
.SS ip xfrm state allocspi \- allocate an SPI value
.SS ip xfrm state delete \- delete existing state in xfrm
.SS ip xfrm state get \- get existing state in xfrm
.SS ip xfrm state deleteall \- delete all existing state in xfrm
.SS ip xfrm state list \- print out the list of existing state in xfrm
.SS ip xfrm state flush \- flush all state in xfrm
.SS ip xfrm state count \- count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp " or " espinudp-nonike ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
used to match xfrm policies and states
used to set the output mark to influence the routing
of the packets emitted by the state
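The following is an added example and not part of the iproute2 man page or the iproute2 code base. It assembles the "ip xfrm state add" line for one direction of an ESP tunnel-mode state using the aead algorithm rfc4106(gcm(aes)) from the ALGO-LIST above, and checks the ALGO-KEYMAT before anything is handed to the kernel: for rfc4106 the key material is the AES key (16, 24 or 32 bytes) followed by a 4-byte salt, so anything other than 40, 56 or 72 hex digits is a configuration error rather than a shorter key. The function names, the RFC 5737 documentation addresses, the SPIs and the key material in the test are all constructed for this example; the lifetime limits and replay settings are ordinary choices, not values the man page prescribes. Commands are printed, not executed, so they can be reviewed and then piped to sh by a user with the rights to change the SAD.

```shell
#!/bin/sh
# Added example (not from the iproute2 man page): build one "ip xfrm state add"
# command for an ESP tunnel-mode SA and reject malformed key material first.

# xfrm_esp_state_cmd SRC DST SPI REQID KEYMAT
#   KEYMAT: hex digits, AES key (16, 24 or 32 bytes) followed by the 4-byte
#   salt that rfc4106(gcm(aes)) requires, i.e. 40, 56 or 72 hex digits.
xfrm_esp_state_cmd() {
    src=$1 dst=$2 spi=$3 reqid=$4 keymat=$5

    # Reject anything that is not pure hex (an empty string included).
    case $keymat in
        ''|*[!0-9a-fA-F]*)
            echo "keymat must be hex digits" >&2; return 1 ;;
    esac
    # Reject wrong lengths: a truncated keymat would not be "a shorter key",
    # it would be an error from the kernel or, worse, a silently wrong salt.
    case ${#keymat} in
        40|56|72) ;;
        *)  echo "keymat is ${#keymat} hex digits; rfc4106(gcm(aes)) needs 40, 56 or 72 (AES key + 4-byte salt)" >&2
            return 1 ;;
    esac
    case $spi in
        0x[0-9a-fA-F]*) ;;
        *) echo "spi must be given as 0x<hex>" >&2; return 1 ;;
    esac

    # 128-bit ICV, extended sequence numbers with a 32-packet replay window,
    # and hard lifetime limits (one hour / 1 GiB) so the SA expires instead of
    # living forever under a static key. Values are example choices.
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel aead 'rfc4106(gcm(aes))' 0x%s 128 replay-window 32 flag esn limit time-hard 3600 limit byte-hard 1073741824\n" \
        "$src" "$dst" "$spi" "$reqid" "$keymat"
}

# A tunnel is two one-way SAs: distinct SPIs and independent key material in
# each direction, tied together by the shared reqid. Constructed SPIs below.
xfrm_esp_tunnel_cmds() {
    lgw=$1 rgw=$2 reqid=$3 key_out=$4 key_in=$5
    xfrm_esp_state_cmd "$lgw" "$rgw" 0x1001 "$reqid" "$key_out" &&
    xfrm_esp_state_cmd "$rgw" "$lgw" 0x1002 "$reqid" "$key_in"
}

# Example invocation with constructed, non-secret key material:
# xfrm_esp_tunnel_cmds 192.0.2.1 198.51.100.1 7 \
#     00112233445566778899aabbccddeeff01020304 \
#     ffeeddccbbaa99887766554433221100a0b0c0d0
```

The reqid passed here is the value a policy template has to repeat for the policy to select this state. With manual keying there is no rekeying; the limit clauses are what stop the state from being used indefinitely, and the same replay-window and esn settings have to appear on the peer's state or sequence numbers will not line up.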
.SS ip xfrm policy add \- add a new policy
.SS ip xfrm policy update \- update an existing policy
.SS ip xfrm policy delete \- delete an existing policy
.SS ip xfrm policy get \- get an existing policy
.SS ip xfrm policy deleteall \- delete all existing xfrm policies
.SS ip xfrm policy list \- print out the list of xfrm policies
.SS ip xfrm policy flush \- flush policies
filter (remove) all socket policies from the output.
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR local " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
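The following is an added example and not part of the iproute2 man page or the iproute2 code base. It prints the three "ip xfrm policy add" lines that steer traffic between two subnets through an ESP tunnel: dir out for the local-to-remote selector, and dir in plus dir fwd for the reversed selector, each carrying a template whose REQID is the value that binds the policy to the matching state. The template keeps the default LEVEL of required, so traffic matching the selector is never sent in the clear when no state exists (level use would let it through). The function names, subnets and gateway addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the iproute2 man page): emit the policy set for a
# site-to-site ESP tunnel. Commands are printed for review, not executed.

# xfrm_tunnel_policy_cmds LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW REQID
xfrm_tunnel_policy_cmds() {
    lnet=$1 rnet=$2 lgw=$3 rgw=$4 reqid=$5

    # reqid is the only link between these policies and the xfrm state, so a
    # mistyped value silently produces policies that match no state.
    case $reqid in
        ''|*[!0-9]*) echo "reqid must be a decimal number" >&2; return 1 ;;
    esac

    for dir in out in fwd; do
        case $dir in
            out) sel="src $lnet dst $rnet"; tmpl="src $lgw dst $rgw" ;;
            *)   sel="src $rnet dst $lnet"; tmpl="src $rgw dst $lgw" ;;
        esac
        # level required (the default) is spelled out so a reviewer sees that
        # matching traffic is not allowed to bypass the tunnel.
        printf 'ip xfrm policy add %s dir %s tmpl %s proto esp reqid %s mode tunnel level required\n' \
            "$sel" "$dir" "$tmpl" "$reqid"
    done
}

# Number of policies produced; a caller can check it is exactly three before
# piping the output to sh.
xfrm_tunnel_policy_count() {
    xfrm_tunnel_policy_cmds "$@" | wc -l | tr -d ' '
}

# Example invocation with constructed addresses:
# xfrm_tunnel_policy_cmds 10.1.0.0/16 10.2.0.0/16 192.0.2.1 198.51.100.1 7
```

The fwd policy is what lets the gateway forward decapsulated packets on to the local subnet; without it, inbound tunnel traffic destined for hosts behind the gateway is dropped by the forwarding-path policy check even though the in policy accepted it.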
.SS ip xfrm policy count \- count existing policies
Use one or more -s options to display more details, including policy hash table
.SS ip xfrm policy set \- configure the policy hash table
Security policies whose address prefix lengths are greater than or equal to the
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
.SS ip xfrm monitor \- state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
option is set, the program listens to all network namespaces that have an
nsid assigned into the network namespace where the program is running.
A prefix is displayed to show the network namespace where the message
[nsid 1]Flushed state proto 0
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>